Ivanti Releases Updates for Five Critical Vulnerabilities in Connect Secure, Policy Secure, and ZTA gateways


Summary

Public proof-of-concept exploit code is available and exploitation of vulnerabilities has been reported


Threat details

Public proof-of-concept code and exploitation of vulnerabilities

Ivanti and other security researchers have reported that public proof-of-concept exploit code is available, and that exploitation has been observed, for the following CVEs (Common Vulnerabilities and Exposures):

  • CVE-2023-46805
  • CVE-2024-21887
  • CVE-2024-21893
  • CVE-2024-22024

If CVE-2024-21887 is chained with any of CVE-2023-46805, CVE-2024-21893, or CVE-2024-22024, exploitation does not require authentication and allows an attacker to craft malicious requests and execute arbitrary commands on the system.


Introduction

Ivanti has released security updates to address five vulnerabilities in supported versions of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA gateways.

Previous high severity Cyber Alert for Ivanti products

The remediation in this high severity Cyber Alert replaces the mitigation in the previous high severity Cyber Alert CC-4432, which was issued before security updates were available.


Vulnerability details

  • CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (ICS) and Policy Secure with a CVSSv3 score of 8.2 that could allow a remote attacker access to restricted resources by bypassing control checks.
  • CVE-2024-21887 is a command injection vulnerability in ICS and Policy Secure with a CVSSv3 score of 9.1 that could allow an authenticated attacker with administrative privileges to send specially crafted requests and execute arbitrary commands.
  • CVE-2024-21888 is a privilege escalation vulnerability, with a CVSSv3 score of 8.8, that could allow an attacker to elevate privileges to those of an administrator.
  • CVE-2024-21893 is a server-side request forgery vulnerability, with a CVSSv3 score of 8.2, that could allow an attacker to access certain restricted resources without authentication.
  • CVE-2024-22024 is an XML external entity injection (XXE) vulnerability, with a CVSSv3 score of 8.3, that could allow an attacker to access certain restricted resources without authentication.

Threat updates

Date         Update
15 Feb 2024  Security updates released for all affected appliances currently in support.
15 Feb 2024  Severity of this Cyber Alert has been raised to High. Security updates released for all supported versions and updated remediation guidance.
14 Feb 2024  Exploitation of CVE-2024-22024.
12 Feb 2024  Proof-of-concept publicly available for exploitation of CVE-2024-22024.
9 Feb 2024   Ivanti has discovered XML external entity injection (XXE) vulnerability CVE-2024-22024. A security update is available for additional versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways.
6 Feb 2024   Proof-of-concept publicly available for exploitation of CVE-2024-21893.

Remediation advice

Affected organisations must review the updated Ivanti Knowledgebase article addressing all five vulnerabilities and follow Ivanti's guidance on applying security updates as soon as possible.


Remediation steps

Action

  • Affected organisations are required to run the External Integrity Checker (ICT) utility from Ivanti to detect evidence of compromise (Note - Running the ICT will require a restart of gateway appliances).
  • If evidence of exploitation is detected, organisations are advised to report to NHS England Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]
  • Integrity checker results must be recorded in responses to this Cyber Alert

Note - Even if the ICT has been run previously, organisations are required to use it again in response to this alert.

Reference: https://forums.ivanti.com/s/article/KB44755?language=en_US

Patch

Affected organisations are required to follow Ivanti's guidance on applying security updates as soon as possible.

Connect Secure latest security updates:

  • 9.1R14.5
  • 9.1R15.3
  • 9.1R16.3
  • 9.1R17.3
  • 9.1R18.4
  • 22.1R6.1
  • 22.2R4.1
  • 22.3R1.1
  • 22.4R1.1
  • 22.4R2.3
  • 22.5R1.2
  • 22.5R2.3
  • 22.6R2.2

Policy Secure latest updates:

  • 9.1R16.3
  • 9.1R17.3
  • 9.1R18.4
  • 22.4R1.1
  • 22.5R1.2
  • 22.6R1.1

ZTA:

  • 22.5R1.6
  • 22.6R1.5
  • 22.6R1.7

Reference: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
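The fixed-release lists above are per branch (for example, 22.5R1.2 fixes the 22.5R1 line and 22.4R2.3 fixes the 22.4R2 line), so a build can only be judged against the fix on its own branch. The script below is an added example, not NHS England or Ivanti code: it triages a constructed appliance inventory against the release lists from this alert. The version format (major.minor R release.patch) is inferred from those lists, the hostnames and installed versions are invented, and it assumes that any build newer than the listed fix on the same branch also carries the fix.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases exactly as listed in this Cyber Alert.
FIXED_RELEASES: Dict[str, List[str]] = {
    "Connect Secure": [
        "9.1R14.5", "9.1R15.3", "9.1R16.3", "9.1R17.3", "9.1R18.4",
        "22.1R6.1", "22.2R4.1", "22.3R1.1", "22.4R1.1", "22.4R2.3",
        "22.5R1.2", "22.5R2.3", "22.6R2.2",
    ],
    "Policy Secure": ["9.1R16.3", "9.1R17.3", "9.1R18.4", "22.4R1.1", "22.5R1.2", "22.6R1.1"],
    "ZTA": ["22.5R1.6", "22.6R1.5", "22.6R1.7"],
}

# Assumed version format, inferred from the lists above: <major>.<minor>R<release>[.<patch>]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '22.5R1.2' into (22, 5, 1, 2); a missing patch number counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, installed: str) -> str:
    """Classify an installed build against the fixed releases for its branch.

    Returns one of:
      'patched'       - a listed fix, or newer than every listed fix on the branch
      'unpatched'     - older than the first listed fix on the branch
      'verify'        - between two listed fixes on the branch (e.g. ZTA 22.6R1.6); confirm with Ivanti
      'no-fix-listed' - the alert lists no fix for this branch; treat as unsupported and unpatched
    """
    inst = parse_version(installed)
    fixes = sorted(
        parse_version(v) for v in FIXED_RELEASES[product] if parse_version(v)[:3] == inst[:3]
    )
    if not fixes:
        return "no-fix-listed"
    if inst in fixes or inst > fixes[-1]:
        return "patched"  # assumption: later builds on a fixed branch carry the fix
    if inst < fixes[0]:
        return "unpatched"
    return "verify"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Assess every (hostname, product, version) entry; returns rows with the verdict appended."""
    return [(host, product, version, assess(product, version)) for host, product, version in inventory]


# Constructed sample inventory (hostnames and installed versions are invented for this demonstration).
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "Connect Secure", "22.5R1.1"),
    ("vpn-gw-02", "Connect Secure", "22.5R1.2"),
    ("vpn-gw-03", "Connect Secure", "9.1R14.5"),
    ("nac-01", "Policy Secure", "9.1R15.3"),
    ("zta-01", "ZTA", "22.6R1.6"),
]

if __name__ == "__main__":
    for host, product, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {product:15} {version:10} {verdict}")
```

A branch with no listed fix (such as Policy Secure 9.1R15 in the sample) is reported separately rather than as patched, because the alert only covers appliances currently in support; such gateways still need the ICT run and the result recorded.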


Last edited: 15 February 2024 12:55 pm